Discussing “Risk Analysis in Software Design”

1 FEB 2006 - Joe Combs

Risk Analysis Defined

…a business-level decision-support tool: it’s a way of gathering the requisite data to make a good judgement call based on knowledge about vulnerabilities, threats, impacts and probability

Key Risk Analysis Concepts• Asset - object to be protected

• Risk - probability an asset will suffer an event of a given negative impact

• Threat - danger source and malicious agent’s motivation

• Vulnerability - defect or weakness in procedure, design, implementation or internal control that can be exploited by an attacker

Key Risk Analysis Concepts• Countermeasures - management,

operational and technical controls that protect the system’s confidentiality, integrity and availability

• Impact - what happens if the risk is realized?

• Probability - likelihood an event will occur, usually expressed as a percentile

Calculating RiskAnnualized Loss Expectancy =

Single Loss Expectancy X Annualized Rate of Occurrence

• often just a ballpark figure but useful for making relative judgements

• other calculations get much more subjective - how do you quantify a soiled reputation?

Risk Analysis in the Lifecycle• Continuous process, not a single stage

• Fits with requirements, design & testing

• 50% of security problems result from design flaws

Risk Analysis Activities

1. Learn as much as possible about the analysis target

2,3. Discuss security issues surrounding the software, determine the probability of compromise

4. Perform impact analysis, rank risks

Risk Analysis Activities

6,7. Report findings, leading the organization to make changes

Note the feedback loop in the process, showing the iterative/ongoing nature of risk analysis

Required Knowledge• Need to build up a consistent view of the

system at a reasonably high level

• What impact does a methodology like Extreme Programming’s “the code is the design” viewpoint have on the limited reach of code-level analysis

Risk Analysis & Requirements• SecureUML - role-based access control models

security requirements for well-behaved applications in predictable environments

Risk Analysis & Requirements• UMLsec - enables modeling of confidentiality, access

control and other security related features

Risk Analysis & Requirements• Abuse Cases - means of understanding how

applications might respond to threats in a less controllable environment

Understanding Business Impact• Broad categories:

• Regulatory• Financial considerations• Contractual obligations

• Categorize requirements as must have, should have, and nice but not necessary• laws & regulations are always must haves unless you’re a

goodfella• careful analysis of potential impact & probability allows you

to categorize financial and contractual obligations

Limitations• The ALE calculation is an

informed guess, not an all knowing Oracle

• Traditional risk-analysis techniques don’t cover all potential threats at a component/environment level

• Modern applications span multiple boundaries of trust

A Practical Approach• Take a forest-level view of

the system: don’t get lost in the trees

• Consider:• threat in each tier’s env• vulnerabilities within each

component as well as dataflows

• business impact of such technical risks

• probability of risk being realized

• feasibility of countermeasures

An Example• SSL might seem to offer

protection between client and web server

• Need to prevent eavesdropping within and between these 2 tiers as well

• Might suggest alternate approaches like message level encryption

Conclusions• Risk analysis focuses on assets, risks, threats,

vulnerabilities, countermeasures, impact and probability

• Risk analysis applies to requirements, design and testing

• Requires analyst to gain an in-depth understanding of the system

• Take advantage of tools & techniques like SecureUML, UMLsec, and abuse cases

Conclusions• Categorize requirements as must have, should

have, nice to have• regulatory issues are must haves• financial and contractual obligations are where the

analysis plays a key role• System level view can help understand risks in

a distributed application